modify the Makefile and README document;add the constraints and limitations of the doc;fix the possible file leakage problem in util/cipher

VERSION-openeuler

@@ -1 +1 @@
-0.9.6-10
+0.9.6-11

git-commit

@@ -1 +1 @@
-b414e4354d73c69e624fd365df134ea0f80490df
+e88af88d105b4a5f68bd3a816ced949c3958353c

isula-build.spec

@@ -2,7 +2,7 @@
 
 Name: isula-build
 Version: 0.9.6
-Release: 10
+Release: 11
 Summary: A tool to build container images
 License: Mulan PSL V2
 URL: https://gitee.com/openeuler/isula-build
@@ -85,6 +85,12 @@ fi
 /usr/share/bash-completion/completions/isula-build
 
 %changelog
+* Fri Aug 19 2022 daisicheng <daisicheng@huawei.com> - 0.9.6-11
+- Type:bugfix
+- CVE:NA
+- SUG:restart
+- DESC:modify the Makefile and README document;add the constraints and limitations of the doc;fix the possible file leakage problem in util/cipher
+
 * Tue Jul 26 2022 lujingxiao <lujingxiao@huawei.com> - 0.9.6-10
 - Type:bugfix
 - CVE:NA

patch/0123-modify-the-Makefile-and-README-document.patch

@@ -0,0 +1,204 @@
+From d5deb4872dc30b56fb3d7a92c27b6180e3d3c6cf Mon Sep 17 00:00:00 2001
+From: daisicheng <daisicheng@huawei.com>
+Date: Wed, 17 Aug 2022 15:07:08 +0800
+Subject: [PATCH 1/3] modify the Makefile and README document
+
+---
+ Makefile     |  4 ++--
+ README.md    | 26 +++++++++++++++++---------
+ README.zh.md | 24 ++++++++++++++++--------
+ 3 files changed, 35 insertions(+), 19 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index c5384e0..4bdb064 100644
+--- a/Makefile
++++ b/Makefile
+@@ -46,8 +46,8 @@ help: ## Display the help info
+ 
+ ##@ Build
+ 
+-.PHONY: all ## Build both isula-build and isula-builder
+-all: isula-build isula-builder
++.PHONY: all 
++all: isula-build isula-builder ## Build both isula-build and isula-builder
+ 
+ .PHONY: isula-build
+ isula-build: ./cmd/cli ## Build isula-build only
+diff --git a/README.md b/README.md
+index a864363..4549f95 100644
+--- a/README.md
++++ b/README.md
+@@ -4,7 +4,7 @@ isula-build is a tool provided by the iSula team for building container images.
+ 
+ The tool adopts the server + client mode. The binary file `isula-build` is the client that provides a CLI for building and managing images, while `isula-builder` is the server that runs as a daemon in the background, responding all the requests from client.
+ 
+-You can use the CLI to
++User can use the CLI to
+ 
+ - Build an image from a Dockerfile (build).
+ - List all images in local store (image).
+@@ -36,7 +36,7 @@ In addition, the following capabilities are also provided:
+ 
+ #### Install from source.
+ 
+-For compiling from source on openEuler, these packages are required on your OS:
++For compiling from source on openEuler, these packages are required on user's OS:
+ 
+ - make
+ - golang (version 1.15 or later)
+@@ -50,7 +50,7 @@ For compiling from source on openEuler, these packages are required on your OS:
+ - bzip2
+ - systemd-devel
+ 
+-You can install them on openEuler with `yum`:
++User can install them on openEuler with `yum`:
+ 
+ ```sh
+ sudo yum install make btrfs-progs-devel device-mapper-devel glib2-devel gpgme-devel libassuan-devel libseccomp-devel git bzip2 go-md2man systemd-devel golang
+@@ -68,8 +68,16 @@ Enter the source code directory and begin compiling:
+ cd isula-build
+ sudo make
+ ```
++Five targets can be selected to compile under "Build" after the command is executed:
++- all
++- isula-build
++- isula-builder
++- safe
++- debug
+ 
+-After compiling success, you can install the binaries and default configuration files simply with:
++`sudo make all` compiles the client isula-build and server isula-builder. `sudo make isula-build` compiles only the client. `sudo make isula-builder` compiles only the server. `sudo make safe` compiles the client and server to generate secure binary files. `sudo make debug` compiles the client and server to  generate binary files containing debug. User can select targets to compile as required.
++
++After compiling success, user can install the binaries and default configuration files simply with:
+ 
+ ```sh
+ sudo make install
+@@ -77,7 +85,7 @@ sudo make install
+ 
+ #### Install as RPM package.
+ 
+-`isula-build` is now released with update pack of openEuler 20.03 LTS, you can install it using yum or rpm. Before you install, please enable "update" in the repo file.
++`isula-build` is now released with update pack of openEuler 20.03 LTS, user can install it using yum or rpm. Before user install, please enable "update" in the repo file.
+ 
+ ##### With `yum`
+ 
+@@ -85,11 +93,11 @@ sudo make install
+ sudo yum install -y isula-build
+ ```
+ 
+-**NOTE**: Please make sure the "update" part of your yum configuration is enabled. You can download the source of yum from [openEuler repo list](https://repo.openeuler.org/) and install it.
++**NOTE**: Please make sure the "update" part of user's yum configuration is enabled. User can download the source of yum from [openEuler repo list](https://repo.openeuler.org/) and install it.
+ 
+ ##### With `rpm`
+ 
+-You can download the RPM package of isula-build and intall it.
++User can download the RPM package of isula-build and intall it.
+ 
+ ```sh
+ sudo rpm -ivh isula-build-*.rpm
+@@ -108,7 +116,7 @@ sudo systemctl start isula-build
+ ```
+ 
+ #### Directly run the isula-builder binary file.
+-You can also run the isula-builder binary file on the server to start the service.
++User can also run the isula-builder binary file on the server to start the service.
+ 
+ ```sh
+ sudo isula-builder --dataroot="/var/lib/isula-build"
+@@ -120,7 +128,7 @@ sudo isula-builder --dataroot="/var/lib/isula-build"
+ 
+ For building container images, `runc` is required.
+ 
+-You can get `runc` by installing `docker` or `docker-runc` on your openEuler distro:
++User can get `runc` by installing `docker` or `docker-runc` on user's openEuler distro:
+ 
+ ```sh
+ sudo yum install docker
+diff --git a/README.zh.md b/README.zh.md
+index e9c2747..fd255a2 100644
+--- a/README.zh.md
++++ b/README.zh.md
+@@ -38,7 +38,7 @@ isula-build提供的命令行工具提供了很多功能，例如：
+ 
+ #### 从源码开始编译安装
+ 
+-为了顺利从源码编译，以下包需要被安装在你的操作系统中：
++为了顺利从源码编译，以下包需要被安装在用户的操作系统中：
+ 
+ - make
+ - golang（大于等于1.15版本）
+@@ -52,7 +52,7 @@ isula-build提供的命令行工具提供了很多功能，例如：
+ - bzip2
+ - systemd-devel
+ 
+-你可以通过`yum`安装这些依赖：
++用户可以通过`yum`安装这些依赖：
+ 
+ ```sh
+ sudo yum install make btrfs-progs-devel device-mapper-devel glib2-devel gpgme-devel libassuan-devel libseccomp-devel git bzip2 systemd-devel golang
+@@ -70,8 +70,16 @@ git clone https://gitee.com/openeuler/isula-build.git
+ cd isula-build
+ sudo make
+ ```
++执行该命令后可以看到"Build"下面有5个target可编译：
++- all
++- isula-build
++- isula-builder
++- safe
++- debug
+ 
+-编译成功之后，你可以通过该命令将编译完毕的二进制以及相关配置文件安装到系统中：
++其中`sudo make all`编译客户端isula-build和服务端isula-builder，`sudo make isula-build`仅编译客户端，`sudo make isula-builder`仅编译服务端，`sudo make safe`编译客户端和服务端生成安全编译的二进制文件，`sudo make debug`编译客户端和服务端生成带有debug的二进制文件，用户可以根据需求选择编译具体的target
++
++编译成功之后，用户可以通过该命令将编译完毕的二进制以及相关配置文件安装到系统中：
+ 
+ ```sh
+ sudo make install
+@@ -79,7 +87,7 @@ sudo make install
+ 
+ #### 通过RPM包安装
+ 
+-`isula-build`目前已经收录在openEuler的官方源中，你可以使用`yum`或者`rpm`安装该包：
++`isula-build`目前已经收录在openEuler的官方源中，用户可以使用`yum`或者`rpm`安装该包：
+ 
+ ##### 使用`yum`
+ 
+@@ -89,7 +97,7 @@ sudo yum install -y isula-build
+ > **注意：**
+ >
+ > 需要先enable repo配置的update部分
+-> 你可以在[openEuler repo list](https://repo.openeuler.org/)中找到对应的yum源进行安装
++> 用户可以在[openEuler repo list](https://repo.openeuler.org/)中找到对应的yum源进行安装
+ 
+ ##### 使用`rpm`
+ 
+@@ -113,7 +121,7 @@ sudo systemctl start isula-build
+ 
+ #### 直接运行二进制
+ 
+-你也可以直接运行isula-builder二进制开启服务：
++用户也可以直接运行isula-builder二进制开启服务：
+ 
+ ```sh
+ sudo isula-builder --dataroot="/var/lib/isula-build"
+@@ -125,7 +133,7 @@ sudo isula-builder --dataroot="/var/lib/isula-build"
+ 
+ 为了正确构建容器镜像，容器运行时`runc`是必要的
+ 
+-你可以通过安装`docker`或者`docker-runc`来获取`runc`二进制
++用户可以通过安装`docker`或者`docker-runc`来获取`runc`二进制
+ 
+ ```sh
+ sudo yum install docker
+@@ -139,7 +147,7 @@ sudo yum install docker-runc
+ 
+ #### 构建镜像
+ 
+-以下是一个简单的例子教你如何去构建一个容器镜像，更多的详细操作可以参考[使用指南](./doc/manual_zh.md#使用指南)
++以下是一个简单的例子教用户如何去构建一个容器镜像，更多的详细操作可以参考[使用指南](./doc/manual_zh.md#使用指南)
+ 
+ 创建一个构建工作目录，编写一个简单的dockerfile：
+ 
+-- 
+2.33.0
+

patch/0124-add-the-constraints-and-limitations-of-the-doc.patch

@@ -0,0 +1,37 @@
+From 288b90b101cd0f6fb1b22902d158f1c33146564c Mon Sep 17 00:00:00 2001
+From: daisicheng <daisicheng@huawei.com>
+Date: Fri, 19 Aug 2022 10:07:13 +0800
+Subject: [PATCH 2/3] add the constraints and limitations of the doc
+
+---
+ doc/manual_en.md | 1 +
+ doc/manual_zh.md | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/doc/manual_en.md b/doc/manual_en.md
+index e591e4f..dd6e7db 100644
+--- a/doc/manual_en.md
++++ b/doc/manual_en.md
+@@ -489,6 +489,7 @@ mybusybox                                latest       173b3cf612f8       2022-01
+ > **Note:**
+ >
+ > - isula-build supports the import of container basic images with a maximum size of 1 GiB.
++> - isula-build does not support concurrent import of the same basic container image.
+ 
+ #### load: Importing Cascade Images
+ 
+diff --git a/doc/manual_zh.md b/doc/manual_zh.md
+index 41cdf43..eb5c8ff 100644
+--- a/doc/manual_zh.md
++++ b/doc/manual_zh.md
+@@ -486,6 +486,7 @@ mybusybox                                latest       173b3cf612f8       2022-01
+ > **说明：**
+ >
+ > - isula-build 支持导入最大1GiB的容器基础镜像。
++> - isula-build 不支持并发导入相同的容器基础镜像。
+ 
+ #### load: 导入层叠镜像
+ 
+-- 
+2.33.0
+

patch/0125-fix-the-possible-file-leakage-problem-in-util-cipher.patch

@@ -0,0 +1,75 @@
+From 56228352ca1509f1d6dc7300c21c23bb7e0c0b12 Mon Sep 17 00:00:00 2001
+From: daisicheng <daisicheng@huawei.com>
+Date: Thu, 18 Aug 2022 19:22:56 +0800
+Subject: [PATCH 3/3] fix the possible file leakage problem in util/cipher.go
+
+---
+ util/cipher.go | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/util/cipher.go b/util/cipher.go
+index c6fa555..193ca69 100644
+--- a/util/cipher.go
++++ b/util/cipher.go
+@@ -83,37 +83,42 @@ func DecryptRSA(data string, key *rsa.PrivateKey, h crypto.Hash) (string, error)
+ }
+ 
+ // GenRSAPublicKeyFile store public key from rsa key pair into local file
+-func GenRSAPublicKeyFile(key *rsa.PrivateKey, path string) error {
+-	if exist, err := IsExist(path); err != nil {
+-		return err
++func GenRSAPublicKeyFile(key *rsa.PrivateKey, path string) (err error) {
++	var exist bool
++	if exist, err = IsExist(path); err != nil {
++		return
+ 	} else if exist {
+-		if err := os.Remove(path); err != nil {
++		if err = os.Remove(path); err != nil {
+ 			return errors.Errorf("failed to delete the residual key file: %v", err)
+ 		}
+ 	}
+ 	publicKey := &key.PublicKey
+-	stream, err := x509.MarshalPKIXPublicKey(publicKey)
++	var stream []byte
++	stream, err = x509.MarshalPKIXPublicKey(publicKey)
+ 	if err != nil {
+-		return err
++		return
+ 	}
+ 	block := &pem.Block{
+ 		Type:  "RSA PUBLIC KEY",
+ 		Bytes: stream,
+ 	}
+-	file, err := os.Create(path)
++	var file *os.File
++	file, err = os.Create(path)
+ 	if err != nil {
+-		return err
++		return
+ 	}
+-	if err := os.Chmod(path, constant.DefaultReadOnlyFileMode); err != nil {
+-		return err
+-	}
+-	if err := pem.Encode(file, block); err != nil {
+-		return err
++	defer func() {
++		cErr := file.Close()
++		if cErr != nil && err == nil {
++			err = cErr
++		}
++	}()
++	if err = file.Chmod(constant.DefaultReadOnlyFileMode); err != nil {
++		return
+ 	}
+-	if cErr := file.Close(); cErr != nil {
+-		return cErr
++	if err = pem.Encode(file, block); err != nil {
++		return
+ 	}
+-
+ 	return nil
+ }
+ 
+-- 
+2.33.0
+

series.conf

@@ -31,3 +31,6 @@ patch/0119-config-golangci-lint-to-lint-unit-test.patch
 patch/0120-make-isula-build-store-more-simple.patch
 patch/0121-print-first-and-second-error-when-dockerfile-not-fou.patch
 patch/0122-registries.toml-could-not-be-empty-hosts-resolv.conf.patch
+patch/0123-modify-the-Makefile-and-README-document.patch
+patch/0124-add-the-constraints-and-limitations-of-the-doc.patch
+patch/0125-fix-the-possible-file-leakage-problem-in-util-cipher.patch